Bug 1155301

Summary: SELinux denies certmonger dbus requests during FreeIPA deployment with rolekit
Product: Fedora
Reporter: Adam Williamson <awilliam>
Component: selinux-policy-targeted
Assignee: Miroslav Grepl <mgrepl>
Status: CLOSED ERRATA
QA Contact: Ben Levenson <benl>
Severity: urgent
Docs Contact:
Priority: unspecified
Version: 21
CC: dwalsh, robatino, sgallagh
Target Milestone: ---
Target Release: ---
Hardware: x86_64
OS: Linux
Whiteboard: AcceptedBlocker
Fixed In Version: selinux-policy-3.13.1-90.fc21
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2014-10-28 21:49:43 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On:
Bug Blocks: 1043124

Description Adam Williamson 2014-10-21 21:01:03 UTC
Testing deployment of FreeIPA via Rolekit in Fedora 21 Beta TC4.

To reproduce, install Beta TC4 from Server DVD and follow https://fedorahosted.org/rolekit/wiki/DomainController .

In /var/log/audit/audit.log I see these denials:

type=USER_AVC msg=audit(1413923153.653:461): pid=731 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for msgtype=method_return dest=:1.23 spid=3366 tpid=1876 scontext=system_u:system_r:certmonger_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=dbus  exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
type=USER_AVC msg=audit(1413923178.251:462): pid=731 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for msgtype=method_return dest=:1.23 spid=3366 tpid=1876 scontext=system_u:system_r:certmonger_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=dbus  exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'

Getting the time stamps with ausearch, they coincide with this block in the journal. The first denial coincides with the last *successful* action (enabling of certmonger.service) which occurs before this block is shown, and the second denial occurs at the same time as this output block appears.

Oct 21 13:26:18 ipa001.domain.local roled[1265]: 2014-10-21 13:26:18 ERROR: ERROR:dbus.proxies:Introspect error on :1.22:/org/fedorahosted/certmonger: dbus.exceptions.DBusException: org.freedesktop.DBus.Error.NoReply: Did not receive a reply. Possible causes include: the remote application did not send a reply, the message bus security policy blocked the reply, the reply timeout expired, or the network connection was broken.
Oct 21 13:26:43 ipa001.domain.local roled[1265]: 2014-10-21 13:26:43 ERROR: ipa         : DEBUG      File "/usr/lib/python2.7/site-packages/ipaserver/install/installutils.py", line 639, in run_script
Oct 21 13:26:43 ipa001.domain.local roled[1265]: 2014-10-21 13:26:43 ERROR:     return_value = main_function()
Oct 21 13:26:43 ipa001.domain.local roled[1265]: 2014-10-21 13:26:43 ERROR:
Oct 21 13:26:43 ipa001.domain.local roled[1265]: 2014-10-21 13:26:43 ERROR:   File "/usr/sbin/ipa-server-install", line 1095, in main
Oct 21 13:26:43 ipa001.domain.local roled[1265]: 2014-10-21 13:26:43 ERROR:     dm_password, subject_base=options.subject)
Oct 21 13:26:43 ipa001.domain.local roled[1265]: 2014-10-21 13:26:43 ERROR:
Oct 21 13:26:43 ipa001.domain.local roled[1265]: 2014-10-21 13:26:43 ERROR:   File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 484, in configure_instance
Oct 21 13:26:43 ipa001.domain.local roled[1265]: 2014-10-21 13:26:43 ERROR:     self.start_creation(runtime=210)
Oct 21 13:26:43 ipa001.domain.local roled[1265]: 2014-10-21 13:26:43 ERROR:
Oct 21 13:26:43 ipa001.domain.local roled[1265]: 2014-10-21 13:26:43 ERROR:   File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 367, in start_creation
Oct 21 13:26:43 ipa001.domain.local roled[1265]: 2014-10-21 13:26:43 ERROR:     method()
Oct 21 13:26:43 ipa001.domain.local roled[1265]: 2014-10-21 13:26:43 ERROR:
Oct 21 13:26:43 ipa001.domain.local roled[1265]: 2014-10-21 13:26:43 ERROR:   File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 1439, in configure_certmonger_renewal
Oct 21 13:26:43 ipa001.domain.local roled[1265]: 2014-10-21 13:26:43 ERROR:     path = iface.find_ca_by_nickname('dogtag-ipa-ca-renew-agent')
Oct 21 13:26:43 ipa001.domain.local roled[1265]: 2014-10-21 13:26:43 ERROR:
Oct 21 13:26:43 ipa001.domain.local roled[1265]: 2014-10-21 13:26:43 ERROR:   File "/usr/lib/python2.7/site-packages/dbus/proxies.py", line 70, in __call__
Oct 21 13:26:43 ipa001.domain.local roled[1265]: 2014-10-21 13:26:43 ERROR:     return self._proxy_method(*args, **keywords)
Oct 21 13:26:43 ipa001.domain.local roled[1265]: 2014-10-21 13:26:43 ERROR:
Oct 21 13:26:43 ipa001.domain.local roled[1265]: 2014-10-21 13:26:43 ERROR:   File "/usr/lib/python2.7/site-packages/dbus/proxies.py", line 145, in __call__
Oct 21 13:26:43 ipa001.domain.local roled[1265]: 2014-10-21 13:26:43 ERROR:     **keywords)
Oct 21 13:26:43 ipa001.domain.local roled[1265]: 2014-10-21 13:26:43 ERROR:
Oct 21 13:26:43 ipa001.domain.local roled[1265]: 2014-10-21 13:26:43 ERROR:   File "/usr/lib/python2.7/site-packages/dbus/connection.py", line 651, in call_blocking
Oct 21 13:26:43 ipa001.domain.local roled[1265]: 2014-10-21 13:26:43 ERROR:     message, timeout)
Oct 21 13:26:43 ipa001.domain.local roled[1265]: 2014-10-21 13:26:43 ERROR:
Oct 21 13:26:43 ipa001.domain.local roled[1265]: 2014-10-21 13:26:43 ERROR: ipa         : DEBUG    The ipa-server-install command failed, exception: DBusException: org.freedesktop.DBus.Error.NoReply: Did not receive a reply. Possible causes include: the remote application did not send a reply, the message bus security policy blocked the reply, the reply timeout expired, or the network connection was broken.
Oct 21 13:26:43 ipa001.domain.local roled[1265]: 2014-10-21 13:26:43 ERROR: Unexpected error - see /var/log/ipaserver-install.log for details:
Oct 21 13:26:43 ipa001.domain.local roled[1265]: 2014-10-21 13:26:43 ERROR: DBusException: org.freedesktop.DBus.Error.NoReply: Did not receive a reply. Possible causes include: the remote application did not send a reply, the message bus security policy blocked the reply, the reply timeout expired, or the network connection was broken.
Oct 21 13:26:43 ipa001.domain.local roled[1265]: 2014-10-21 13:26:43 ERROR: <class 'rolekit.errors.RolekitError'>: COMMAND_FAILED: 256

As this causes FreeIPA deployment to fail, nominating as a Beta blocker bug per criterion:

"Release-blocking roles and the supported role configuration interfaces must meet the core functional Role Definition Requirements to the extent that supported roles can be successfully started, stopped, brought to a working configuration, and queried."

https://fedoraproject.org/wiki/Fedora_21_Beta_Release_Criteria#Roles
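The triage step the report describes (pulling the audit(epoch:serial) stamps out of the USER_AVC records and lining them up with the roled journal output) can be scripted. The following Python is an added example written for this page; it is not code from the bug, from rolekit or from selinux-policy. It embeds the two denial lines and two of the journal lines quoted above as constructed sample input, parses the dbus-daemon USER_AVC layout into source type, target type, class and permission, and reports which journal messages fall within a few seconds of each denial. The -7 h UTC offset is inferred from the page itself (epoch 1413923178 is 20:26:18 UTC and the journal shows 13:26:18 local); the `to_allow_rule` helper only renders the rule an audit2allow-style triage would propose from the denial, which is not necessarily how selinux-policy-3.13.1-90.fc21 actually fixed it.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample input: the two USER_AVC records and two of the journal
# lines quoted in the bug report, embedded so the script runs offline.
AUDIT_LINES = [
    "type=USER_AVC msg=audit(1413923153.653:461): pid=731 uid=81 auid=4294967295 ses=4294967295 "
    "subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for "
    "msgtype=method_return dest=:1.23 spid=3366 tpid=1876 scontext=system_u:system_r:certmonger_t:s0 "
    "tcontext=system_u:system_r:unconfined_service_t:s0 tclass=dbus  exe=\"/usr/bin/dbus-daemon\" "
    "sauid=81 hostname=? addr=? terminal=?'",
    "type=USER_AVC msg=audit(1413923178.251:462): pid=731 uid=81 auid=4294967295 ses=4294967295 "
    "subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for "
    "msgtype=method_return dest=:1.23 spid=3366 tpid=1876 scontext=system_u:system_r:certmonger_t:s0 "
    "tcontext=system_u:system_r:unconfined_service_t:s0 tclass=dbus  exe=\"/usr/bin/dbus-daemon\" "
    "sauid=81 hostname=? addr=? terminal=?'",
]
JOURNAL_LINES = [
    "Oct 21 13:26:18 ipa001.domain.local roled[1265]: 2014-10-21 13:26:18 ERROR: ERROR:dbus.proxies:"
    "Introspect error on :1.22:/org/fedorahosted/certmonger: dbus.exceptions.DBusException: "
    "org.freedesktop.DBus.Error.NoReply: Did not receive a reply.",
    "Oct 21 13:26:43 ipa001.domain.local roled[1265]: 2014-10-21 13:26:43 ERROR: Unexpected error - "
    "see /var/log/ipaserver-install.log for details:",
]

HEADER_RE = re.compile(r"msg=audit\((?P<epoch>\d+\.\d+):(?P<serial>\d+)\)")
AVC_RE = re.compile(r"avc:\s+(?P<verdict>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
JOURNAL_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) (?P<unit>[^\[]+)\[\d+\]: (?P<msg>.*)$")


def selinux_type(context):
    """user:role:type[:level] -> type, e.g. system_u:system_r:certmonger_t:s0 -> certmonger_t."""
    return context.split(":")[2]


def parse_user_avc(line):
    """Parse one USER_AVC record (the userspace AVC format dbus-daemon emits) into a dict."""
    head, sep, inner = line.partition("msg='")
    if not sep:
        raise ValueError("not a USER_AVC record with an embedded avc message")
    inner = inner.rstrip().rstrip("'")
    header = HEADER_RE.search(head)
    avc = AVC_RE.search(inner)
    if header is None or avc is None:
        raise ValueError("unrecognised USER_AVC layout")
    # key=value pairs that follow the "{ perms } for" block
    fields = dict(KV_RE.findall(inner[avc.end():]))
    return {
        "epoch": float(header["epoch"]),
        "serial": int(header["serial"]),
        "verdict": avc["verdict"],
        "perms": avc["perms"].split(),
        "msgtype": fields.get("msgtype"),
        "source_type": selinux_type(fields["scontext"]),
        "target_type": selinux_type(fields["tcontext"]),
        "tclass": fields["tclass"],
        "exe": fields.get("exe", "").strip('"'),
    }


def to_allow_rule(denial):
    """The allow rule an audit2allow-style triage would derive from the denial.
    Illustrative only: the real policy fix may use an interface or another target type."""
    return "allow %s %s:%s { %s };" % (
        denial["source_type"], denial["target_type"], denial["tclass"], " ".join(denial["perms"]))


def parse_journal(line, year):
    """Parse a syslog-style journal line; the year is not in the line, so it is supplied."""
    m = JOURNAL_RE.match(line)
    if m is None:
        return None
    ts = datetime.strptime("%d %s" % (year, m["ts"]), "%Y %b %d %H:%M:%S")
    return {"time": ts, "unit": m["unit"], "msg": m["msg"]}


def correlate(audit_lines, journal_lines, utc_offset_hours, window_s=2.0):
    """Map each denial serial to the journal messages logged within window_s of it.
    Audit stamps are epoch seconds (UTC); the journal shows local wall-clock time,
    so the host's UTC offset is needed to compare them."""
    tz = timezone(timedelta(hours=utc_offset_hours))
    denials = [parse_user_avc(l) for l in audit_lines]
    if not denials:
        return {}
    year = datetime.fromtimestamp(denials[0]["epoch"], tz).year
    entries = [e for e in (parse_journal(j, year) for j in journal_lines) if e]
    matches = {}
    for d in denials:
        when = datetime.fromtimestamp(d["epoch"], tz).replace(tzinfo=None)
        matches[d["serial"]] = [
            e["msg"] for e in entries if abs((e["time"] - when).total_seconds()) <= window_s]
    return matches


if __name__ == "__main__":
    for raw in AUDIT_LINES:
        d = parse_user_avc(raw)
        print(d["serial"], d["verdict"], d["source_type"], "->", d["target_type"],
              d["tclass"], d["perms"], d["msgtype"])
        print("   ", to_allow_rule(d))
    # -7 h (assumed from the page): 1413923178 is 20:26:18 UTC, the journal shows 13:26:18
    for serial, msgs in correlate(AUDIT_LINES, JOURNAL_LINES, utc_offset_hours=-7).items():
        print(serial, "->", msgs or "no journal line within the window")
```

On this input the first denial (serial 461, 13:25:53 local) matches nothing in the quoted block, consistent with the report that it coincides with the earlier, successful enabling of certmonger.service, while the second (serial 462) lands on the 13:26:18 Introspect error. The rendered rule makes the shape of the problem explicit: certmonger_t is blocked from sending a dbus method_return to a caller running as unconfined_service_t, which is why the proxy sees NoReply rather than a clean error.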

Comment 1 Miroslav Grepl 2014-10-22 14:58:52 UTC
*** Bug 1155304 has been marked as a duplicate of this bug. ***

Comment 2 Miroslav Grepl 2014-10-22 14:59:29 UTC
We need to get roled policy from another bug to F21.

Comment 3 Adam Williamson 2014-10-22 17:25:56 UTC
Discussed at 2014-10-22 blocker review meeting: http://meetbot.fedoraproject.org/fedora-blocker-review/2014-10-22/f21-blocker-review.2014-10-22-16.03.log.txt . Accepted as a blocker per criterion cited in description.

Comment 4 Fedora Update System 2014-10-22 22:01:27 UTC
selinux-policy-3.13.1-90.fc21 has been submitted as an update for Fedora 21.
https://admin.fedoraproject.org/updates/FEDORA-2014-13454/selinux-policy-3.13.1-90.fc21

Comment 5 Fedora Update System 2014-10-23 16:20:48 UTC
Package selinux-policy-3.13.1-90.fc21:
* should fix your issue,
* was pushed to the Fedora 21 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.13.1-90.fc21'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2014-13454/selinux-policy-3.13.1-90.fc21
then log in and leave karma (feedback).

Comment 6 Adam Williamson 2014-10-27 18:15:55 UTC
sgallagh reported success in verifying the fix with Beta RC1: marking as VERIFIED.

Comment 7 Fedora Update System 2014-10-28 21:49:43 UTC
selinux-policy-3.13.1-90.fc21 has been pushed to the Fedora 21 stable repository.  If problems still persist, please make note of it in this bug report.